Security advisories are commonly used to describe information system vulnerabilities. These advisories provide information regarding specific characteristics associated with a vulnerability, such as an affected software platform product, remediation patches, a public disclosure date, a type of impact on the affected platform product, and so on.
Currently, there are many vulnerability advisory producers or sources. These sources span different levels of information detail, product vendors, and public or governmental institutions. Each vulnerability advisory source typically has its own proprietary format, which may overlap the formats used by other sources. Some sources may incorporate into their advisories vulnerability information that other sources do not. Various product vendors or security institutions such as the Computer Emergency Response Team—Coordination Centre (CERT/CC) operated by the Carnegie Mellon Software Engineering Institute or the SysAdmin, Audit, Network, Security (SANS) Institute, for instance, produce vulnerability notes on a regular basis. The heterogeneous nature of vulnerability information sources can result in a lack of consistency among vulnerability advisories.
Although there are de-facto standards for various aspects of vulnerability information reporting, not all sources use those standards. Even where multiple sources provide advisories formatted in accordance with the same standard, the particular types and content of the vulnerability information provided by those sources may vary.
The Common Vulnerabilities and Exposures (CVE) scheme gives a unique name to a vulnerability that may have been found by multiple entities. This ensures that disparate vulnerability databases will still use a common name for the same vulnerability. CVE provides a way to identify information for the same vulnerability in different data feeds by associating a specific name with that vulnerability. This name, along with a short description of the vulnerability, is made publicly available via a centralized repository. Vulnerability information sources using the CVE naming scheme can then provide information for the same vulnerability under a common name. This approach, however, only links vulnerabilities from different sources, provided that all of the sources support the CVE naming scheme; it does not consolidate the actual content associated with the different advisories identified under the same CVE name. The CVE scheme relates only to vulnerability naming and does not specify a format or content for the vulnerability information that may be associated with a named vulnerability.
The Common Vulnerability Scoring System (CVSS) was developed through the National Infrastructure Advisory Council (NIAC) and is currently administered by the Forum of Incident Response and Security Teams (FIRST). The CVSS provides a common scheme and process for evaluating vulnerabilities according to particular criteria. Although the CVSS scheme is intended to be objective, different entities generally have different experience with, and knowledge of, the exploited platforms, so the same vulnerability may be assigned different CVSS scores by different sources. Further, while the CVSS includes a rating scheme against particular criteria, the detailed information about a vulnerability is still left to the format of each source.
Manually compiling vulnerability information from multiple sources and making it consistent, for an ever-increasing number of new vulnerabilities, is not only labor intensive but also error prone.
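To make the preceding points concrete, the following is an added example (not part of this document, and not any source's actual format) of what "linking by CVE name without consolidating content" looks like in practice. Three constructed feeds, each with its own hypothetical field names, are normalized onto one schema and merged by CVE identifier; the merge unions affected products and patch references, keeps the earliest disclosure date, records each source's CVSS score so that disagreement between sources is visible, and sets aside any advisory that carries no CVE name and therefore cannot be linked at all.

```python
"""Consolidate vulnerability advisories from heterogeneous sources by CVE name.

Added example: the feed layouts, identifiers, URLs, dates and scores below are
constructed for illustration and do not describe any real advisory.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed records, one per (hypothetical) producer format.
VENDOR_FEED = [
    {"id": "VENDOR-2001", "cve": "CVE-0000-0001", "product": "ExampleServer 2.1",
     "fix": "https://vendor.example/patch/2001", "published": "2024-03-02",
     "severity": 7.5},
    # No CVE name assigned yet: cannot be linked to the other feeds.
    {"id": "VENDOR-2002", "cve": None, "product": "ExampleClient 1.0",
     "fix": None, "published": "2024-03-05", "severity": 4.3},
]
CERT_STYLE_FEED = [
    {"note": "VU#000001", "cve_ids": ["CVE-0000-0001"],
     "affected": ["ExampleServer 2.0", "ExampleServer 2.1"],
     "disclosed": "2024-03-01", "cvss_base": 8.1,
     "references": ["https://vendor.example/patch/2001"]},
]
SCANNER_FEED = [
    {"cve": "CVE-0000-0001", "systems": ["ExampleServer 2.1"],
     "score": 7.5, "date": "2024-03-03"},
]
FEEDS = [("vendor", VENDOR_FEED), ("cert", CERT_STYLE_FEED), ("scanner", SCANNER_FEED)]


@dataclass
class Consolidated:
    """One merged record per CVE name, built from all contributing sources."""
    cve: str
    products: set = field(default_factory=set)
    patches: set = field(default_factory=set)
    disclosure: Optional[date] = None
    scores: dict = field(default_factory=dict)   # source name -> CVSS base score
    source_ids: set = field(default_factory=set)  # each source's own advisory id

    def score_disagreement(self) -> float:
        """Spread between the highest and lowest score any source assigned."""
        if not self.scores:
            return 0.0
        return max(self.scores.values()) - min(self.scores.values())


def normalize(source: str, rec: dict) -> dict:
    """Map a source-specific record onto a common schema.

    Each branch encodes that producer's (hypothetical) field names; an
    unknown source raises rather than being silently dropped.
    """
    if source == "vendor":
        return {"cves": [rec["cve"]] if rec["cve"] else [],
                "products": [rec["product"]],
                "patches": [rec["fix"]] if rec["fix"] else [],
                "date": rec["published"], "score": rec["severity"],
                "source_id": rec["id"]}
    if source == "cert":
        return {"cves": rec["cve_ids"], "products": rec["affected"],
                "patches": rec["references"], "date": rec["disclosed"],
                "score": rec["cvss_base"], "source_id": rec["note"]}
    if source == "scanner":
        return {"cves": [rec["cve"]], "products": rec["systems"], "patches": [],
                "date": rec["date"], "score": rec["score"],
                "source_id": f"scanner:{rec['cve']}"}
    raise ValueError(f"no normalizer for source {source!r}")


def merge_feeds(feeds):
    """Return (merged records keyed by CVE name, list of unlinkable advisories)."""
    merged: dict = {}
    unlinked = []
    for source, records in feeds:
        for rec in records:
            n = normalize(source, rec)
            if not n["cves"]:
                unlinked.append((source, n["source_id"]))
                continue
            disclosed = date.fromisoformat(n["date"])
            for cve in n["cves"]:
                entry = merged.setdefault(cve, Consolidated(cve))
                entry.products.update(n["products"])
                entry.patches.update(n["patches"])
                entry.source_ids.add(n["source_id"])
                if entry.disclosure is None or disclosed < entry.disclosure:
                    entry.disclosure = disclosed
                entry.scores[source] = n["score"]
    return merged, unlinked


if __name__ == "__main__":
    merged, unlinked = merge_feeds(FEEDS)
    for cve, entry in merged.items():
        print(cve, sorted(entry.products), entry.disclosure, entry.scores,
              "score spread:", round(entry.score_disagreement(), 1))
    print("unlinked:", unlinked)
```

The per-source `normalize` branches are exactly the hand-written, format-specific mapping the text calls labor intensive and error prone: every new producer needs another branch, and nothing in the CVE name itself tells the merger which product list, date or score to trust when the sources disagree.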
In addition to the “formatting” aspects of the problem, there is an additional “historical” aspect. Over time, some sources may vanish or relocate to a different web site, for instance; some advisories may vanish; some sources may change their subscription requirements; and some sources may be “push-only”. Given all of these different problems, it is difficult to gather a complete set of the advisories.
Thus, there remains a need for improved vulnerability information handling techniques.